Since the ICO gave notification of its intention to levy significant fines against British Airways and Marriott International for their respective data breaches (£180M & £99M), enforcement has calmed a little.
The majority of fines recently publicised have been levied under the DPA 1998 penalty regime and largely relate to offences around marketing without consent or the illegal sharing of personal data. So should you worry about the potential for some form of enforcement action? Simply – yes!
Private individuals are slowly gaining a better awareness of their rights, largely due to the multitude of privacy notices they've encountered since GDPR implementation. Among those rights publicised is their right to raise concerns with the regulator. Whether they have legitimate cause to complain or not, increasing numbers of data subjects are lodging complaints with the ICO, and this invariably increases the chances of any business coming under the regulator's scrutiny.
Should this be the case, regardless of guilt in respect of the complaint, an investigation may well uncover elements of the law with which the business is found not to be compliant, and may therefore result in some form of enforcement notification or, worse, a fine. So while for most businesses the risk of receiving a headline fine for a breach like those above is not likely, there is still a growing potential for those businesses who fail to address legal compliance adequately to face regulatory action and suffer the reputational damage this can cause.
If you’re considering bringing in support, please contact me for a confidential chat.